ISE Integration with PEAP (Server side Cert)

dharmendra2shah
Level 1

All,

We are currently evaluating ISE and I am stuck with the PEAP authentication (with Server side Cert).

Our current setup consists of two 5508 controllers, 30+ access point. For authentication we are using PEAP with (server side Cert). We have an IAS server which is also acting as a CA server.

We are using Cisco’s NAM as a supplicant on Windows XP & 7 workstations.

I would like to use ISE for authentication. I would like to use PEAP with Server side Cert (similar setup like IAS). I want ISE to perform the same function in addition to profiling etc.....

I was able to integrate ISE with Active Directory but could not get it working with PEAP (server side Cert).

Has anyone done this before? If yes then can you share step by step instructions?

I would also like to know if they used Microsoft’s CA server, an OpenSSL CA server or a third party CA server (Go Daddy, VeriSign etc.).

Can we use ISE as a CA server just the way we used Microsoft’s IAS Server as a CA Server?

Thanks in Advance

Ds

8 Replies

Tarik Admani
VIP Alumni

Answers inline:

> Our current setup consists of two 5508 controllers, 30+ access point. For authentication we are using PEAP with (server side Cert). We have an IAS server which is also acting as a CA server.

IAS and CA are two separate roles that a Windows server can run, just wanted to clear that up: the IAS service still needs a cert imported/signed for it to present a cert for the PEAP server side certificate.

> We are using Cisco’s NAM as a supplicant on Windows XP & 7 workstations.

Good choice, much better to control across different platforms.

> I would like to use ISE for authentication. I would like to use PEAP with Server side Cert (similar setup like IAS). I want ISE to perform the same function in addition to profiling etc.
>
> I was able to integrate ISE with Active Directory but could not get it working with PEAP (server side Cert).

You will need to generate a CSR from the ISE server (go to Administration > Certificates > Local Server Cert.. > Add > Generate CSR, then go to the CSR container and export your CSR).

> Has anyone done this before? If yes then can you share step by step instructions?

This response should answer your question.

> I would also like to know if they used Microsoft’s CA server, an OpenSSL CA server or a third party CA server (Go Daddy, VeriSign etc.).

Who is "they"? If you are authenticating users within an enterprise where laptops are issued by the corporation then you should save the cost and use your internal CA (Windows); if this is a campus environment (BYOD) then you should get a public CA.

> Can we use ISE as a CA server just the way we used Microsoft’s IAS Server as a CA Server?

No.

> Thanks in Advance
>
> Ds

Tarik Admani
*Please rate helpful posts*

I was able to generate the CSR from ISE. After generating the CSR I exported it to a temp folder.

I have also installed a Microsoft CA server (Windows 2008 R2) so the CA server can issue a cert to ISE. The problem I am having is that the CSR is in .PEM format and Microsoft does not understand that format. Therefore I used online tools to convert the CSR to .DER or PKCS#12, but Microsoft doesn’t like it.

Do you have any suggestions?

Ds

The CSR should be in PEM format, my assumption is that you used the default SHA-256 to generate the request, try using SHA-1 and that should work.

Thanks,

Tarik Admani
*Please rate helpful posts*

edondurguti
Level 4

Cisco recommends using 3rd party software to generate the CSR, like openssl. I did it and it worked fine.

I used a GoDaddy cert (Go Daddy Class 2), which on Apple devices comes up as UNVERIFIED, so I don't know what the point of buying it for PEAP is (it does work for HTTP SSL though).

For Windows machines that are joined to a workgroup there is still a problem when users try to connect to an SSID: even though you have the root cert as trusted on the machine, it comes up as unverified.

Seems like a Windows 7 bug; here is an article from Microsoft.

http://support.microsoft.com/kb/2518158

and here

http://support.microsoft.com/kb/295663

Hope it helps.

Thanks Tarik!!! Selecting SHA-1 instead of SHA-256 did the trick. One step closer.

Do you have step by step instructions to complete the CSR on Windows 2008 R2? Should we use the GUI method or use the IIS interface?

edondurguti: I am OK to use OpenSSL as a CA server and then submit the CSR to OpenSSL. Do you have written instructions to perform that task?

Well, not exactly, but I used parts from here:

http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a00806e367a.shtml

I think you're good with what you've done so far.
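For the CSR steps discussed in this thread (generating the request outside ISE with openssl, checking which digest the PEM file really carries, converting PEM to DER for Windows tooling, and signing it with an OpenSSL CA), here is an added shell example; it is not code from the thread, from Cisco or from the linked configuration guide, and the FQDN, subject names and test CA are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): the openssl side of the CSR discussion.
# make_csr takes the digest as an argument; the thread found a Windows 2008 R2 CA
# took a SHA-1 request but not SHA-256, so csr_sig_alg shows which digest a PEM
# CSR really carries. The test CA, FQDN and subject values are constructed placeholders.
set -eu
WORK=$(mktemp -d)
ISE_FQDN="ise01.example.test"   # placeholder: the ISE node's FQDN as clients will see it

# Private key plus CSR for the ISE node; $1 is the digest, e.g. sha256 or sha1.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes "-$1" -keyout "$WORK/ise.key" \
    -out "$WORK/ise-$1.csr" -subj "/C=US/O=Example/CN=$ISE_FQDN" 2>/dev/null
}

# Signature algorithm recorded in a PEM CSR (e.g. sha1WithRSAEncryption).
csr_sig_alg() {
  openssl req -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# PEM -> DER conversion (the binary form Windows tooling wants); succeeds only if
# the DER file still parses and its self-signature verifies.
csr_to_der_ok() {
  openssl req -in "$1" -outform DER -out "$WORK/ise.der"
  openssl req -in "$WORK/ise.der" -inform DER -noout -verify >/dev/null 2>&1
}

# Throw-away OpenSSL CA standing in for the internal/OpenSSL CA the thread discusses.
make_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -keyout "$WORK/ca.key" \
    -out "$WORK/ca.crt" -subj "/O=Example/CN=Example Test CA" 2>/dev/null
}

# Sign the CSR, adding a SAN and the serverAuth EKU that Windows/NAM supplicants
# require before they will trust a PEAP server certificate.
sign_csr() {
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$ISE_FQDN" > "$WORK/ext.cnf"
  openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -days 30 -sha256 -extfile "$WORK/ext.cnf" -out "$WORK/ise.crt" 2>/dev/null
}

# Chain verifies against the CA and the EKU made it into the issued certificate.
cert_ok() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/ise.crt" >/dev/null 2>&1 &&
    openssl x509 -in "$WORK/ise.crt" -noout -text | grep -q 'TLS Web Server Authentication'
}

make_csr sha256 && make_test_ca && sign_csr "$WORK/ise-sha256.csr"
echo "CSR digest: $(csr_sig_alg "$WORK/ise-sha256.csr"); issued cert ok: $(cert_ok && echo yes || echo no)"
```

`make_csr sha1` reproduces the thread's workaround on OpenSSL builds that still permit SHA-1 signing; prefer SHA-256 wherever the CA accepts it, since a SHA-1 request only changes the CSR's own signature, not the certificate the CA issues.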

Thanks edondurguti. I ended up submitting my CSR to DigiCert and it worked like a champ.

Ds

I am unable to do machine and user authentication using PEAP. I am not sure what is wrong with my Authorization policies.

On the ISE side it says authenticated (user and machine separately), but on the client side it says limited or no connectivity.

I am using AnyConnect 3.1 on the client side as a supplicant.

ISE version is 1.1.1 with patch 3.

WLC version is 7.2.103.0

Is there a compatibility issue?